Bill on the GDPR and surveillance of employees

27 Mar 2018

Monitoring employees: impact of the Bill implementing the General Data Protection Regulation (GDPR)

Dorothée David

The government has submitted several amendments to the Chamber of Deputies regarding Bill no. 7184 implementing the GDPR in Luxembourg. Some of the amendments are designed to take into account the impact of the Bill on the Labour Code, insofar as it repeals the modified law of 2 August 2002 on the protection of natural persons with regard to the processing of personal data.

To this end, amendment 28 stipulates a change to article L. 261-1 of the Labour Code regarding monitoring employees in the workplace. The main changes proposed are:

- Personal data may be processed by the employer in order to monitor employees if the employer is the data controller, in accordance with the provisions of the GDPR (and no longer of the repealed law of 2 August 2002). Furthermore, the employer would no longer be limited by the 5 possibilities for monitoring, restrictively listed by the current article L. 261-1 of the Labour Code, and would no longer be forced to secure authorisation in advance from the CNPD.

- Data processing for the purposes of monitoring motivated by the need to ensure employees’ health and safety, by temporarily checking the employee’s output or services when such a measure is the only way of defining the exact salary, or by flexitime working hours, would still be subject to the joint decision system, in accordance with the applicable provisions of the Labour Code.

However, if the joint works council (if one still exists), or the employer and the staff delegation do not come to an agreement, the most diligent  party could submit a request for prior opinion regarding the compliance of the monitoring project to the CNPD, which should come to a decision within a month of the request. If no agreement is arrived at, if applicable after referring to the Office national de conciliation (National Conciliation Office), the monitoring project  would not be able to be implemented.

- In companies that are not eligible for joint decisions and, in general, for the processing of personal data designed to control employees’ activities in the workplace, the staff delegation or the employees (in companies not obliged to have a staff delegation) would now have the right to request an advance compliance opinion from the CNPD.

The request for an advance compliance opinion would have suspensive effect, which means that the planned measure could not be implemented before the CNPD gives its opinion. The latter would have one month from the request to announce it.

This amendment, if actually adopted, will strengthen social dialogue and the powers of the staff representatives when it comes to implementing the processing of personal data to control the behaviour and performance of employees in the workplace. The goal is to take into account the removal of the advance declaration and control system for data processing by the CNPD once the GDPR becomes applicable on 25 May. Within this context, the amendment is designed to improve protection for employees against potential abuse, as specifically authorised by article 88 of the GDPR.

Bill 7184 regarding the GDPR - government amendments of 12 March 2018

Notification of data breaches: CNPD form and FAQs

As of 25 May 2018, one of the new obligations for the data controller introduced by the GDPR will be to report breaches relating to personal information to the CNPD within 72 hours of finding out about them, if the breach in question could pose a risk to the rights and freedom of the individuals concerned.

Employers responsible for processing their employees’ data will therefore also be affected by this new requirement.

With this in mind, the CNPD has drawn up a notification form (in French and in English) and has answered some frequently asked questions about the subject on a dedicated page. You can access these documents and this information by clicking here.